
Comments

Interesting legislation. Something I've wondered about (and suggested in a couple films) is the notion of tracking personal information (and particular books selected) based upon a person's lending record.

Paul - thanks for the updates. I just added a new post at the top of my blog linking to your comments.

Thank you also for your invitation to the library community to send a representative to the study group - I'm checking around.

BREAKING NEWS:

Senator Simitian is attempting a "Hail Mary" move to give new life to SB 682. He has "gutted-and-amended" SB 768 (originally dealing with "Marine finfish aquaculture") on the Assembly floor and has inserted the most recent language found in SB 682. This can happen when one bill is abandoned by its author -- which, apparently, happened to SB 768.

It is never over until it is over, but I still believe the bill is dead.

This is a desperate move on Simitian's part and will carry a high price. He is essentially attempting to circumvent the legislative process by giving the finger to the Assembly Appropriations Committee, which held back SB 682 to study its financial effect on California.

We are now accustomed to the underhanded tactics of those promoting SB 682 - now resurrected as SB 768. We knew this was likely to happen and we are ready for it. What is happening further illustrates the problem: those who want this law enacted are unwilling to let anyone look too closely at it. The purpose of the bill isn't to regulate the technology - the purpose of the bill is to ban the technology either directly or indirectly by making it too expensive or ineffective to use. And they are comfortable achieving that goal by hook or by crook.

Extreme views engender bad laws.

Okay, one last observation: SB 682 is now SB 768 - which originally pertained to "Marine finfish aquaculture." But the basic nature of SB 768 hasn't really changed: even though the original content has been stripped out and replaced with SB 682, there is still something fishy about it.

I can hear the groans. Please forgive me, sometimes I just can't help myself.

Any bill regulating RFID will impact library use significantly considering the already extensive use of RFID in libraries. A preliminary study group is going to be set up, and someone representing the concerns of the library community will be welcomed. Would you or someone you recommend be interested in being involved in this bill drafting process?

Thank you for asking, Mary. The high tech coalition that coordinated the opposition to SB 682 is in the initial stages of formulating a bill to address privacy concerns. But even at this early stage, some fundamental themes are apparent.

First of all, no smart card uses will be banned. The focus should be on punishing bad behavior, not punishing technology. We think librarians are responsible public servants who care about the privacy of their patrons. Libraries should be able to use secure smart card technology to dramatically improve services to library patrons while assuring that personal information remains private. They do this now admirably. There is no reason to fear that they will stop performing this service with such integrity.

The key to smart card privacy protections is to recognize that not all smart card uses are equally risky. This was the primary problem with SB 682 - it attempted to impose very harsh, very expensive encryption ultimately on all smart card uses, whether a particular use needed encryption or not.

Let's look at garage cards and secure building ID cards as examples. These cards carry a long number on the chip inside of them - and that's all they have on them. The card reader reads this number and is programed to raise the gate or open the door for anyone carrying a card with an authorized access number on it. The reader doesn't know any personal information about the card owner. All it knows is to open the gate or unlock the door and let them in.

Holding nothing more than a number, these cards are already encrypted. No additional encryption (encryption is nothing more than making small numbers larger) will make the card carrier any safer. All additional encryption will do is make the card more expensive and slower to read.

Smart cards made for libraries are much the same. But what about something like a passport? Passports have more than just numbers on them. Passport smart card technology will have lots of information on them like photos and addresses. This kind of information is enormously more sensitive than a random number chain. Also - unlike secured servers used in libraries that cannot be hacked - passport information exists in government data bases that can possibly be hacked. Therefore, a much higher level of protection is required.

The envisioned bill will recognize that one size of encryption does not fit all, nor should it. A better bill will impose a sliding scale that will require greater security measures for identification cards or documents that carry sensitive information. The more sensitive, the more protections are warranted.

It is likely that the bill will also require the use of a card jacket that is made of material that renders the card impossible to read. The Federal Government will require that all passport covers be made of this material so that the information in a passport can only be accessed if the passport owner manually opens the passport and holds it up to a reader.

Such card jackets will allow those who are concerned with their privacy to satisfy their concerns by placing whatever secure smart cards they have in a sleeve or even in a wallet or purse made of these materials.

Finally, any bill must also promulgate reasonable consequences for anyone misusing the technology. SB 682 attempted to impose penalties, but was written so poorly that these penalties would never have survived a legal challenge. We will make sure that any successor bill avoids these problems.

I also would like to see legislation that further criminalizes data base breaches. Despite what the proponents of SB 682 have said, there are no instances of any secure smart card being "skimmed." The privacy risk that everyone is concerned with is in the data bases that connect the encrypted number on the secure smart card with the card holder's real name. Something has to be done to secure the data in a data base to prevent security breaches from happening.

I am told that current California law sufficiently criminalizes data base hacking, but I want to satisfy myself that this is true, and right now I'm not sure.

Well, that's about it for now. I hope this gives you some insight into what is coming down the road. I will be happy to post more as the process progresses.

What would a smart card privacy law entail?

The article that Mary posted above sheds some light on the true intent of Senator Simitian's bill. There is absolutely no reason why libraries cannot use smart card technology to provide better services to library patrons. It is inexpensive, incredibly efficient and absolutely private. Books would contain a chip with an identifying number. Smart library cards would contain an identification number no different than a bar code or a number printed on the card. A patron with a smart library card could pick up a stack of books and walk out with it. Instead of a metal detector that is used to prevent thefts, a card reader would automatically inventory the books and check them out to the patron.

This is what happens now, except that it is faster and more accurate with smart card technology. Privacy is assured because the library's computer with the ability to match up the numbers with patron names is not connected to the internet and cannot be "hacked." In other words, if someone somehow "skimmed" the number off of a patron's card, all they would get is a randomly assigned number that tells them nothing about the patron.

When CLA tried to point this out to Senator Simitian and those privacy advocacy groups sponsoring the bill, no one listened. Instead, the ban on library card use remained in the bill.

And that was the point of the bill. It pretended to be technology friendly, to only want a few years to study the technology, but its real purpose was to ban the use of this technology in libraries - for reasons that made absolutely no sense when you looked closely enough at the bill.

And that's why the bill was killed in the Appropriations Committee. Every justification for the bill turned out to be either a misrepresentation or an outright lie.

The electronics industry fought to stop SB 682. But even though it is now dead for the rest of the year, the industry now intends on sponsoring a smart card privacy law.

Here's the California Library Association lobbyist report August 26th -

"...Yesterday, two bills that are being closely monitored by the CLA Legislative Committee, chaired by Mark Smith, were held on the "suspense file." Specifically, here are some of the details about the two bills held in committee yesterday:

SB 682-SIMITIAN: “THE IDENTITY INFORMATION PROTECTION ACT OF 2005”
“The bill requires that certain security measures be implemented into state and local government-issued identification documents that incorporate Radio Frequency Identification (RFID) technology, with certain specified exceptions, and for three years, prohibits the use of RFID in four classes of government documents including: 1) drivers licenses, 2) ID cards issued to K-12 students, 3) government-issued medical benefit cards, and 4) library cards issued by a public library.” (Source: Assembly Appropriations analysis)

Earlier in the year, we previously reported that our office received a call from the Senate Office of Research who was conducting confidential research on the use of RFID tags in library cards. When we polled the CLA Legislative Committee, they indicated that while the books and other materials at the library may contain RFID tags, the actual library cards have bar codes or another identifier, not RFID chips. We later received confirmation that it was Senator Simitian who commissioned the inquiry at Senate Office of Research. As many of you know, Senator Simitian has long been one of CLA’s biggest supporters, and we believe he was trying to best determine how much libraries would be impacted by the measure in advance of SB 682 being introduced. A few days later we attended a comprehensive briefing by the sponsors of his bill, the American Civil Liberties Union and the Electronic Frontier Foundation. They explained the bill was prompted by a situation at a school in Northern California where students were asked to wear a badge containing an RFID tag, while on campus, to track their attendance at the school. Scanners were placed above doorways, etc. Parents objected to the invasive badges and the campus quickly disbanded the program. In April, the bill had two substantive hearings in the Senate Judiciary Committee, but no organized opposition was present at either hearing, which surprised us. The bill then passed the Senate Floor and headed over to the Assembly.

In the meantime, the CLA Legislative Team had established an excellent Task Force, consisting of Chair, Mark Smith (Riverside County Library System), Jackie Griffin of the Berkeley Public Library, and Kathleen Smith at the Fresno Public Library. They had significant concerns that because the RFID technology is “young yet, it would be detrimental to pass a piece of prohibitive legislation so early in the game,” and requested that CLA submit language to Senator Simitian calling for an amendment to allow for future “hybrid” or permissive options. The public library could offer 1) a barcode system, or, 2) if the library offered an RFID card system and a barcode system, the patron could choose their style of card, using an opt-in approach, and would sign a waiver of informed consent if they chose the RFID model. Unfortunately, the author and the sponsor rejected our language and the prohibition for public library card usage remained in the bill.

The bill faced a much more difficult time in the Assembly Judiciary Committee. We spent a great deal of time speaking with committee staff regarding our concerns, and ultimately the thorough 11 page committee analysis posed the question: “The Committee may wish to explore with the author the possibility of permitting all educational institutions and libraries to use RFID technology with security protections.” Despite the consultant’s argument, the author was resistant to exempting public libraries from the bill, but agreed to exempt higher education, partially because the UC system, according to the analysis, “had already invested several million dollars into RFID technology for use on its campuses and in its libraries.” At this hearing, a large coalition of opponents turned out, representing various electronics groups, including the American Electronics Association, Oracle, Texas Instruments, etc. and even the state’s own Department of Consumer Affairs who is concerned with Homeland Security issues. At the end of the hearing, Chairman Dave Jones said, “I personally have concerns with limiting the technology and with the limiting of certain classifications of documents, but I know the author will continue to work with everyone.” The bill passed on a vote of 6 “ayes” (all Democrats) and 3 “noes” (all Republicans).

Subsequently, the Assembly Appropriations Committee identified costs to state and local agencies of several dollars per card and several hundred dollars per reader station for the new, enhanced systems and massive encryption requirements that would be required under this bill. Also, the Committee consultant identified an unusual potential cost brought about by the bill - civil actions. The consultant warns SB 682 could cause “potential unknown cost to the state or local agencies to defend against civil actions brought pursuant to alleged non-compliance” and “potential costs for adverse judgments against the state or local agencies in such actions.” In a surprise twist during Thursday’s Appropriation’s “suspense file” hearing, Assembly Appropriations Committee Chair, Judy Chu, announced that she would be holding “20 bills over as two-year bills. If you don’t hear a bill number called out, that means we are holding on to it until January.” SB 682-Simitian was one of the 20 bills held by the Committee, with the opportunity for it to be resurrected any time next year. However, the San Jose Mercury News is reporting that the Senator has stated that he would vow to “try to revive it before the Legislature adjourns for the year on Sept. 9.” The Senator would need to obtain a significant amount of rule waivers and obtain the blessing of Assembly and Senate Leadership to be able to move his bill before the end of session, which would be quite difficult."

UPDATE on Senate Bill 682 (Simitian):

Apparently, heaven has helped those of us who are still capable of thinking.

Today the California Assembly Appropriations Committee prevented SB 682 from going to the Assembly floor for a vote. SB 682 is now a "two year bill." This means that it cannot be brought up again for consideration until January 2006, and if the bill somehow passes, it won't become law until January 2007.

Here is how it happened: those who supported the bill - those who wanted to ban the use of a new technology - tried to frighten people. They did this by lying. They lied about the dangers of the technology. They lied about how it can be misused. They lied about how it has been misused in the past. They lied shamelessly and repeatedly. They did it to frighten people enough to pass a law that helped no one except selected businesses making more expensive, inferior products.

Those who joined together to fight the bill countered these lies with the truth. No kidding. Just the plain, simple truth. They told the truth over and over again to anyone who would listen. They said that RFID and smart cards were created for the purpose of advancing privacy interests. They pointed out that, despite there being over 200,000 of these products in use, there has never been even one instance of a smart card being "hacked" or "skimmed." They explained that the real problem was data bases being hacked - a problem the bill totally ignored. They explained that SB 682 pretended to be open minded about smart card technology but was really a ban of the technology because the bill imposed such a strict standard of encryption on smart cards that it would make the technology too expensive to be purchased, thereby ruining small businesses and putting people out of work.

And it worked. The truth actually won the day. And those who tried to pull a fast one on us using fear tactics learned that you cannot fool all of the people all of the time and that the ends don't always justify the means.

Sometimes the system works. It worked today. Imagine my surprise. Imagine my utter relief and delight. This is a great day, yet so few will ever know that a great victory was won today. The Light of Reason actually beat back the Darkness of Fearful Ignorance and Superstition. In an age marked by the decline of reason and the rise of proud idiots, where the best seem to lack all conviction while the worst burn with a passionate intensity, the Luddites actually lost.

The author of the bill pretends that it is just a three year "pause" in uses of the technology for library cards, and that it allows other uses if they comply with a strict encryption standard. This is a smoke screen. The bill is designed to outlaw all uses of the technology by making it too expensive to make, sell and to use. The three year "pause" will ruin small businesses that supply the alphanumeric card market - i.e., cards with a random series of numbers and letters that you can use to automatically take books out of a library or gain access to a secured building but is useless to anyone who might somehow get the number. The bill will require all new users of the technology to satisfy a huge and expensive encryption standard - even though a randomly assigned number chain is already encrypted. In other words, the bill requires more expensive cards and more expensive readers (the ones being used now can't read the kinds of encryption the bill imposes) without one single bit of additional security.

The bill is supported by people who are afraid of anything they don't take the time to understand. You know who they are - the ones who don't read or have any use for libraries anyway. They are automatically afraid of any emerging technology - no matter how useful, no matter how safe, no matter how private. Because they don't get it, they want to ban it. They are eager to throw the baby out with the bath water because, well, you know why. It is just too depressing to try to explain.

God Bless America, and heaven help those of us who are still capable of thinking rationally.

Mary,
I posted the info about this bill to a list where privacy and technology folks hang out, and one of them, who I trust, said that he didn't think that the courts would view the card key as an identifier, but as a key. Then he said this (gulp!) about the proposal to have RFID chips in passports:

"I'm much more worried about the RFID passports that will be implemented this fall. It would be straightforward to make a bomb that would go off only if some number of traveling Americans was in proximity to it. There are many other ways RFID passports are a Really Bad Idea"

It's hard to imagine all of the ways that RFID could be mis-used, but this one strikes me as particularly chilling.

kc

Mary,
It looks to me that not only would this law outlaw library cards with RFID, it might even outlaw the cards that many people use to "click" their way into an office building. Each of those cards has a number that is linked in a database to an individual employee. This bill looks like a non-starter because it is overly broad.

kc
